Unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
As computer networks become ubiquitous, any device that is connected to the networks is susceptible to debilitating attacks, such as viruses, worms, and cracker attacks. Typical approaches to counter these attacks include firewall techniques and anti-virus programs. Firewalls generally prevent certain types of files or packets from entering a network, and anti-virus programs typically prevent files that contain virus patterns from being executed on a device or a group of devices.
Several types of firewall techniques exist today. Some examples include packet filter, application gateway, and proxy server. The packet filter approach inspects the control information of each packet and determines whether to accept or reject the packet based on user-defined rules. The application gateway approach applies a security mechanism to certain applications, such as FTP and Telnet servers. The proxy server approach utilizes an in-between server to intercept and inspect packets between a client application and a server on a network to which the client application submits requests to. None of these existing techniques inspects the payload data portion of each packet or handles malicious code segments that spread across packet boundaries.
An anti-virus program that executes on a device generally assembles incoming packets received by the device into a file before determining whether the assembled file includes certain predetermined virus patterns. In such approaches, no inspection takes place until after a file or a block of data has been assembled. For attacks that target real-time protocols, the timing requirements of the protocols would render the aforementioned assembling-before-scanning approaches essentially inoperable.